JP6900328B2 - Attack type determination device, attack type determination method, and program - Google Patents

Description

The present invention relates to a technique for determining the type of cyber attack.

As a type of cyber attack, there is an attack that infects a terminal with malware by using an email attachment or the like. After the attack, a terminal infected with malware connects to a C & C (Command and Control) server that relays commands from the attacker, causing further infection spread and information leakage. In order to prevent such infection spread and information leakage, measures such as preparing the domain name of the C & C server in advance and preventing the DNS server such as ISP from resolving the name from the terminal infected with malware are taken. ing.

In addition, various countermeasures such as anti-virus software and UTM (Unified Threat Management) are taken under the CSIRT (Computer Security Incident Response Team) in companies and the like against malware. For example, if you receive a report that a suspicious email has arrived and the attached file cannot be detected by anti-virus software, or if the attached file is infected by dynamic analysis or static analysis using a sandbox. Identify what kind of operation it will take, how to detect / block communication after infection, etc., and take corrective action.

Japanese Unexamined Patent Publication No. 2009-181335

Attacks to infect malware (eg, email attachments mentioned above) are enormous, but CSIRTs, which do not always have abundant resources, are the targets for which details are analyzed and measures are taken. Prioritization is required.

In particular, if it is possible to determine whether the attack being received is a "targeted" attack against a specific organization or a "scattered" attack that is not limited to a specific organization, it is considered to be a higher risk targeted attack. Can be given priority in taking measures against. However, with the prior art, it has been difficult to determine the type of such attack.

The present invention has been made in view of the above points, and an object of the present invention is to provide a technique capable of determining the type of cyber attack.

According to the disclosed technology, it is an attack type determination device that determines the type of attack that causes a terminal to communicate with a specific communication destination.
An input means for inputting communication destination information indicating the communication destination due to the attack to be judged, and
A determination means for determining the type of the attack based on the presence / absence of a name resolution request for which the communication destination information is specified or the source of the name resolution request.
An attack type determination device is provided, which comprises an output means for outputting a determination result by the determination means.

According to the disclosed technology, a technology capable of determining the type of cyber attack is provided.

It is an overall block diagram of the system in Embodiment of this invention. It is a functional block diagram of the attack type determination device 100. It is a functional block diagram of the determination requesting apparatus 300. It is a figure which shows the example of the table stored in the domain information storage part 307. It is a figure which shows the example of the hardware configuration. It is a sequence diagram for demonstrating an operation example. It is a flowchart for demonstrating the attack type determination process.

Hereinafter, embodiments of the present invention (the present embodiments) will be described with reference to the drawings. The embodiments described below are merely examples, and the embodiments to which the present invention is applied are not limited to the following embodiments.

In this embodiment, as a cyber attack, an attack that causes a terminal or the like to communicate with a specific communication destination such as a C & C server is targeted. The attack type determination device 100, which will be described later, determines the type of the attack. In the present embodiment, the domain name is used as the communication destination information indicating the communication destination, but this is an example, and information other than the domain name (example: IP address) is used as the communication destination information. May be good.

(Overall system configuration)
FIG. 1 shows an example of the overall configuration of the system according to the present embodiment. The system shown in FIG. 1 includes a DNS server 200 and an attack type determination device 100 provided in the network 20 of the DNS server operator. The DNS server operator is, for example, an ISP (Internet Service Provider), but is not limited to this. Further, the attack type determination device 100 is provided in the network 20 as an example, and the attack type determination device 100 may be provided in a network other than the network 20.

Further, instead of separately providing the DNS server 200 and the attack type determination device 100, the attack type determination device 100 may be configured to include the function of the DNS server 200.

The DNS server 200 receives the name resolution request specifying the domain name, and returns the IP address corresponding to the domain name to the request source. The DNS server 200 receives name resolution requests (domain names) from networks of various organizations.

The "organization" here is, for example, a specific company. Further, the "organization" may be the entire company of a specific industry. Moreover, the "organization" may be other than these.

In the example of FIG. 1, as an example of the network of a plurality of organizations, the network 10A of the company A, the network 10B of the company B, and the network 10C of the company C are shown. The networks 10A, 10B and 10C are each connected to the network 20.

For example, when a terminal in network 10A performs name resolution for a domain name, the terminal sends a name resolution request to the DNS server 200 and receives an IP address corresponding to the domain name from the DNS server 200. At this time, the DNS server 200 records a log including the domain name related to the name resolution request, the IP address of the source of the name resolution request, and the time when the name resolution request is received. Here, from the IP address of the source, it is possible to grasp that the source is the company A.

The attack type determination device 100 causes the DNS server 200 to perform communication to the domain of a certain domain name based on the source of the name resolution request or the like (in the present embodiment, "target type" or "rose". It is a device having a function of determining "sprinkling type").

For example, the attack type determination device 100 determines that the attack related to the domain name is "target type" when there is no name resolution request for designating the domain name to be determined. The fact that there is no name resolution request for designating the domain name is because it can be estimated that the attack was performed only to the organization that notified the attack type determination device 100 of the domain name to be determined. Further, for example, the attack type determination device 100 determines an attack related to the domain name as "target type" even when the source of the name resolution request for designating the domain name to be determined is one organization. The fact that the source of the name resolution request that specifies the domain name is one organization can be presumed that the attack related to the domain name is regarded by the organization. Note that the source of the name resolution request that specifies the domain name is one organization, for example, when there are multiple "name resolution requests that specify the domain name", the IP of each source. This is the case where the address is the IP address of the one organization.

The determination request device 300 is a device that transmits the domain name of the determination target to the attack type determination device 100 as a determination request. The determination request device 300 may be a device belonging to a network of a certain company (eg, a terminal in the company A), a device belonging to the network 20, or a device belonging to a network other than these. May be good.

(Device configuration example)
<Attack type determination device 100>
FIG. 2 shows an example of the functional configuration of the attack type determination device 100. As shown in FIG. 2, the attack type determination device 100 includes a determination request receiving unit 101, a determination unit 102, a determination result transmission unit 103, a name resolution log storage unit 104, and an address information storage unit 105.

The determination request receiving unit 101 receives, for example, a determination request from the determination request device 300, which specifies the domain name to be determined. Based on the information stored in the name resolution log storage unit 104 and the information stored in the address information storage unit 105, the determination unit 102 determines whether the domain name to be determined is the domain name related to the targeted attack. Alternatively, it is determined whether the domain name is related to the scattered attack. The determination result transmission unit 103 returns the determination result to, for example, the determination request source. In addition to returning the determination result to the determination requester, the determination result transmission unit 103 discloses, for example, the domain name and whether the attack related to the domain name is a target type or a scattered type via the Web. May be good. In either case, the determination result transmission unit 103 corresponds to an output means for outputting the determination result.

The name resolution log storage unit 104 stores the name resolution log. The name resolution log is obtained from the DNS server 200. When the attack type determination device 100 is also a DNS server, the name resolution log is a log obtained by the name resolution process of the attack type determination device 100 itself. As mentioned above, the name resolution log shows the domain name related to the name resolution request, the IP address of the source of the name resolution request, and the time when the name resolution request is received (eg, year / month / day / hour / minute / second). )including.

The address information storage unit 105 stores address information including an IP address and a domain name corresponding to the IP address. The address information may be acquired from the DNS server 200 or may be individually set. When the attack type determination device 100 is also a DNS server, the address information may be information used by the attack type determination device 100 (DNS server) itself for name resolution processing.

Further, it is an example that the address information stored in the address information storage unit 105 is information including an IP address and a domain name corresponding to the IP address. The address information may be any information as long as it can identify the organization from which the name resolution request is sent.

<Judgment request device 300>
FIG. 3 shows an example of the functional configuration of the determination request device 300. As an example, the determination request device 300 in the present embodiment determines whether the URL described in the email body is malignant, and whether the attached file attached to the e-mail is malignant, and if it is determined to be malignant, the URL / It has a function to extract the communication destination (domain name) based on the attached file.

More specifically, as shown in FIG. 3, the determination request device 300 includes the text URL extraction unit 301, the attachment file extraction unit 302, the malignancy determination unit 303, the communication destination domain extraction unit 304, the determination target domain transmission unit 305, and the determination. The result receiving unit 306 and the domain information storage unit 307 are included.

The body URL extraction unit 301 extracts the URL described in the body of the mail received from the mail server or the like. The attachment file extraction unit 302 extracts the attachment file attached to the e-mail.

The malignancy determination unit 303 determines whether the URL extracted by the text URL extraction unit 301 or the attachment file extracted by the attachment file extraction unit 302 is malignant. Judging whether or not it is malignant is an existing technique, and there are a judgment method by dynamic analysis, a judgment method by static analysis, and the like. As an example, a URL or an attached file that causes a connection operation to a communication destination domain that can be presumed to be the domain of a C & C server is determined to be malicious.

The communication destination domain extraction unit 304 extracts the communication destination (here, the domain name) in the connection operation (example: connection operation to the C & C server) executed by the URL or the attached file determined to be malignant by the malignancy determination unit 303. , The domain name is stored in the domain information storage unit 307.

The determination target domain transmission unit 305 transmits the undetermined domain name stored in the domain information storage unit 307 to the attack type determination device 100 as the domain name of the attack type determination target. The determination result receiving unit 306 receives the determination result from the attack type determination device 100, and stores the determination result information in the domain information storage unit 307.

FIG. 4 is a diagram showing an example of a table stored in the domain information storage unit 307. In the example shown in FIG. 4, the table has an ID, a domain name, an attack date and time, an attack ID, an information source, a judgment request transmission date and time, a judgment result reception date and time, and a judgment result. "ID" is the ID of the entry in the table. The "domain name" is the domain name related to the attack to be determined. The "attack date and time" is the date and time when an attack (eg, receiving an e-mail describing a malignant URL, receiving an e-mail with a malignant attachment, etc.) that causes communication to the domain of the domain name is received. The "attack ID" is an ID that identifies an attack.

The "information source" is the original information from which the domain name to be determined is extracted. The "judgment request transmission date and time" is the date and time when the judgment request was transmitted. The "judgment result reception date and time" is the date and time when the judgment result is received. The "judgment result" indicates whether it is a target type or a scattered type.

It should be noted that the determination request device 300 extracts the domain name to be determined and transmits it to the attack type determination device 100 only as an example.

For example, a user may send a domain name that is considered suspicious for some reason from his / her terminal to the attack type determination device 100, and receive the determination result from the attack type determination device 100. Further, the attack type determination device 100 provides the terminal with a Web page for inputting the domain name of the determination target, and the user inputs the determination target domain name on the Web page displayed on the terminal. , The determination target domain name may be transmitted to the attack type determination device 100.

(Hardware configuration example)
Both the attack type determination device 100 and the determination request device 300 can be realized by, for example, causing a computer to execute a program describing the processing contents described in the present embodiment. That is, the functions of the device can be realized by executing a program corresponding to the processing executed by the device using the hardware resources such as the CPU, memory, and hard disk built in the computer. is there. The above program can be recorded on a computer-readable recording medium (portable memory, etc.), stored, and distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.

FIG. 5 is a diagram showing an example of hardware configuration when the device is realized by a computer. The devices shown in FIG. 5 include a drive device 150, an auxiliary storage device 152, a memory device 153, a CPU 154, an interface device 155, a display device 156, an input device 157, and the like, which are connected to each other by a bus B, respectively.

The program that realizes the processing in the apparatus is provided by, for example, a recording medium 151 such as a CD-ROM or a memory card. When the recording medium 151 storing the program is set in the drive device 150, the program is installed in the auxiliary storage device 152 from the recording medium 151 via the drive device 150. However, the program does not necessarily have to be installed from the recording medium 151, and may be downloaded from another computer via the network. The auxiliary storage device 152 stores the installed program and also stores necessary files, data, and the like.

The memory device 153 reads and stores the program from the auxiliary storage device 152 when the program is instructed to start. The CPU 154 (processor) realizes the function related to the device according to the program stored in the memory device 153. The interface device 155 is used as an interface for connecting to a network. The display device 156 displays a programmatic GUI (Graphical User Interface) or the like. The input device 157 is composed of a keyboard, a mouse, buttons, a touch panel, and the like, and is used for inputting various operation instructions.

When the device is operated remotely or the display is performed remotely, the display device 156 and the input device 157 may not be provided.

(Operation example)
Next, an operation example of the system according to the present embodiment will be described with reference to the sequence diagram of FIG.

In S101, as described above, the determination request device 300 analyzes, for example, the URL described in the email body or the attached file attached to the email, so that the domain name related to the attack to be determined (for convenience, for convenience). It may be called "domain name to be judged"). In S102, the determination target domain transmission unit 305 of the determination request device 300 transmits the determination target domain name to the attack type determination device 100.

In S103, the attack type determination device 100 determines the type of attack (target type or scattered type) related to the domain name based on the domain name to be determined. In S104, the determination result transmission unit 103 of the attack type determination device 100 transmits the determination result in S103 to the determination request device 300. In S105, the determination request device 300 stores (registers) the determination result in the domain information storage unit 307.

The attack type determination process in S103 will be described with reference to the flowchart of FIG.

When the determination request receiving unit 101 of the attack type determination device 100 receives the domain name of the determination target, the determination unit 102 acquires the domain name of the determination target from the determination request receiving unit 101 (S201).

The determination unit 102 determines whether or not there is a name resolution request specifying the domain name acquired in S201 by searching the name resolution log storage unit 104 based on the domain name (S202). This determination may be performed by searching the entire name resolution log, or by searching the log range from the latest log to the predetermined time past.

If the determination result in S202 is No (when there is no name resolution request specifying the domain name), the process proceeds to S204, and the determination unit 102 determines that the attack related to the domain name is a target type.

If the determination result in S202 is Yes (when there is a name resolution request specifying the domain name), the process proceeds to S203. In S203, the determination unit 102 determines whether or not the source of the name resolution request for the determination target domain name satisfies a predetermined condition. There is one or more name resolution requests for the domain name to be determined.

The "predetermined condition" is, for example, "the source of the name resolution request for the domain name to be determined is one organization".

For example, the determination unit 102 acquires the IP address (s) of the source of the name resolution request of the domain name to be determined from the name resolution log storage unit 104, and the address information storage unit is based on each IP address. By searching 105, information (example: domain name) indicating the organization (example: company) associated with the IP address is extracted, and the source of the name resolution request of the domain name to be determined is one organization. Determine if it is.

When the condition "the source of the name resolution request of the domain name to be judged is one organization" is used as the "predetermined condition", and the judgment of S203 is Yes (when the predetermined condition is satisfied), S204 In, the determination unit 102 determines that the attack is a targeted attack on the one organization (eg, company A).

When the determination in S203 is No (that is, when there are name resolution requests from a plurality of organizations), it is determined that the attack is a scattered type (S205).

The "predetermined condition" may be that "the source of the name resolution request for the domain name to be determined is one industry".

In this case, for example, the determination unit 102 acquires the IP address (s) of the source of the name resolution request of the domain name to be determined from the name resolution log storage unit 104, and the address is based on each IP address. By searching the information storage unit 105, information (example: domain name) indicating an organization (example: company) associated with an IP address is extracted, and information indicating the organization (one or more) is 1 Determine if it falls under one industry. In this case, for example, in the address information storage unit 105, along with the above-mentioned address information, information in which the organization name and the type of business are associated (eg, the type of business of company X, company Y, and company Z is "telecommunications carrier") It is stored so that the determination unit 102 can determine the type of industry corresponding to the source organization.

When the condition "the source of the name resolution request for the domain name to be determined is one industry" is used as the "predetermined condition", and the determination in S203 is Yes (when the predetermined condition is satisfied), S204. In the determination unit 102, the determination unit 102 determines that the attack is a targeted attack on the one industry (eg, a telecommunications carrier). In addition, "organization" may be broadly interpreted to include "industry" as its meaning.

The above-mentioned "predetermined conditions" are all examples, and the "predetermined conditions" are not limited to specific conditions.

When the attack type determination device 100 also functions as a DNS server, the attack type determination device 100 may perform the same operation as described above or may perform a monitoring operation. In the case of performing the monitoring operation, after S201 in FIG. 7 and before S202, the determination unit 102 monitors the name resolution request specifying the domain name to be determined for a predetermined time, and the domain to be determined is determined. When a name resolution request with a specified name is received, the IP address of the source of the name resolution request is stored in a storage means such as a memory. The information stored in this storage means is an example of a name resolution request log.

If the name resolution request specifying the domain name to be determined is not received, nothing is stored in the storage means. After that, the processing after S202 is performed. In the processing after S202, the information of the transmission source stored in the storage means is used.

Further, when the attack type determination device 100 also functions as a DNS server, the domain name to be determined is used as an element of the blacklist, and the name resolution process is not performed for the name resolution request for which the domain name is specified. It may be that.

Since it is possible to determine whether or not the attack is a targeted attack by the technique described in the present embodiment, it is possible to raise the response priority.

(Summary of embodiments)
As described above, according to the present embodiment, it is an attack type determination device that determines the type of attack that causes the terminal to communicate with a specific communication destination, and indicates the communication destination due to the attack to be determined. The input means for inputting the communication destination information, the determination means for determining the type of the attack based on the presence / absence of the name resolution request for which the communication destination information is specified, or the source of the name resolution request, and the determination means. An attack type determination device is provided, which comprises an output means for outputting a determination result.

The determination request receiving unit 101, the determination unit 102, and the determination result transmitting unit 103 are examples of input means, determination means, and output means, respectively.

The determination means may determine that the type of attack is a target type when there is no name resolution request. The determination means may determine that the type of attack is targeted when the source of the name resolution request is one organization.

When the determination means has the name resolution request and the source of the name resolution request is a plurality of organizations, the determination means may determine that the type of the attack is a scattered type.

The determination means may determine the type of attack based on the log of name resolution requests received by DNS servers used by a plurality of organizations.

Although the present embodiment has been described above, the present invention is not limited to such a specific embodiment, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. It is possible.

10A-10B Corporate network 20 DNS server operator's network 100 Attack type judgment device 101 Judgment request reception unit 102 Judgment unit 103 Judgment result transmission unit 104 Name resolution log storage unit 105 Address information storage unit 200 DNS server 300 Judgment request device 301 Body URL extraction unit 302 Attached file extraction unit 303 Malicious judgment unit 304 Communication destination domain extraction unit 305 Judgment target domain transmission unit 306 Judgment result reception unit 307 Domain information storage unit 150 Drive device 151 Recording medium 152 Auxiliary storage device 153 Memory device 154 CPU
155 Interface device 156 Display device 157 Input device

Claims (7)

It is an attack type determination device that determines the type of attack that causes the terminal to communicate with a specific communication destination.
An input means for inputting communication destination information indicating the communication destination due to the attack to be judged, and
A determination means for determining the type of the attack based on the presence / absence of a name resolution request for which the communication destination information is specified or the source of the name resolution request.
An attack type determination device including an output means for outputting a determination result by the determination means. The attack type determination device according to claim 1, wherein the determination means determines that the attack type is a target type when there is no name resolution request. The attack type determination device according to claim 1 or 2, wherein the determination means determines that the type of the attack is a target type when the source of the name resolution request is one organization. .. The determination means is characterized in that, when there is the name resolution request and the source of the name resolution request is a plurality of organizations, it is determined that the type of the attack is a scattered type. The attack type determination device according to any one of 3. One of claims 1 to 4, wherein the determination means determines the type of attack based on a log of name resolution requests received by DNS servers used by a plurality of organizations. Attack type determination device described in. This is an attack type determination method executed by the attack type determination device that determines the type of attack that causes the terminal to communicate with a specific communication destination.
An input step for inputting communication destination information indicating the communication destination due to the attack to be judged, and
A determination step for determining the type of attack based on the presence or absence of a name resolution request for which the communication destination information is specified, or the source of the name resolution request.
An attack type determination method including an output step for outputting a determination result by the determination step. A program for causing a computer to function as each means in the attack type determination device according to any one of claims 1 to 5.

Images